
First Annual OSC&R Report Reveals 95% of Organizations Have at Least One Severe Security Risk Within their Software Supply Chain

Business Wire

OX Researchers Analyze Millions of Vulnerabilities Against the Industry’s First Supply-Chain Security Specific Attack Matrix

NEW YORK & TEL AVIV, Israel: OX Security, the pioneer in Active Application Security Posture Management (Active ASPM), today issued the OSC&R community’s inaugural software supply chain threat report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures." Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, the report is the first comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. OSC&R in the Wild quantifies the ongoing challenge of detecting and remediating severe security risks among the 97% of benign alerts, and offers guidance for adopting a more proactive, attacker-centric security strategy.

The Open Software Supply Chain Attack Reference (OSC&R) framework, first published in early 2023, was developed collaboratively by cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, FICO, and more. OSC&R is a MITRE ATT&CK-like framework that gives organizations a single point of reference to proactively assess their strategies to secure their software supply chains. The goal of this inaugural OSC&R report is to help AppSec teams better understand how adversaries view and target the entire kill chain, and to help prioritize where best to focus their limited resources.

The report found that many applications contained multiple vulnerabilities spanning various stages of the kill chain, leaving them even more exposed to a successful attack. A surprising number of long-documented vulnerabilities were still frequently found in the wild. For instance, older tactics such as backdoor code insertion remain prevalent: the recently discovered XZ Utils backdoor (CVE-2024-3094), which affected major Linux distributions, shows that attackers still successfully use this method. The widespread presence of these vulnerabilities in the report’s code samples underscores the persistent risk.

Key Findings include:

  • AppSec teams face an unmanageable volume of alerts: The average AppSec team monitors 129 applications and triages over 119,000 security alerts annually.
  • Most organizations face high-severity risks: 95% of organizations had at least one high, critical, or apocalyptic risk (the three highest severity rankings) within their software supply chain, with the average organization having nine such issues.
  • One in five applications contains run-time exposure: Analysis against attack phases showed that 20% of all applications have high, critical, or apocalyptic issues during the Execution stage, where attackers aim to deploy malicious code.
  • Older vulnerabilities are still the most common: While some newer tactics did appear, the three most frequently observed vulnerabilities, command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications), have all been around for many years.
  • Six of the top ten most commonly observed vulnerabilities are tied to poor implementation of fundamental security practices such as authentication, encryption, keeping exploitable information out of logs, and the principle of least privilege.
  • Automated alert analysis helps reduce the noise: Automated, contextual analysis reduced the overall volume of alerts by more than 97%, accelerating the identification of the critical alerts organizations need to address.

“One of the questions our researchers sought to answer was whether there was alignment between the vulnerabilities found in the wild and the focus of AppSec teams,” said Neatsun Ziv, CEO of OX Security. “The data suggests there is a misalignment. We found significant vulnerabilities at every stage of the kill chain. The volume of vulnerabilities passing through the supply chain into live applications, and the high percentage of organizations reporting incidents, indicate that AppSec teams need to focus on both threat detection and fostering a culture of continuous improvement and adaptation in security practices.”

Utilizing the OSC&R framework with Application Detection and Response (ADR) and Application Security Posture Management (ASPM), organizations can gain a comprehensive understanding of their software supply chain vulnerabilities, adopting a more proactive, attacker-centric security strategy. This approach will help foresee potential threats and implement robust defenses, ultimately reducing the likelihood of severe vulnerabilities reaching production code.

“As reliance on software supply chains has increased for enterprise application development, attackers have been quick to exploit vulnerabilities within third-party code,” said David Cross, former Microsoft and Google cloud security executive and founding OSC&R member. “The OSC&R report underscores the critical importance of the OSC&R framework in addressing software supply chain vulnerabilities. The report not only highlights the pervasive nature of these threats but also provides a comprehensive methodology for AppSec teams to prioritize their efforts effectively. By leveraging the OSC&R framework, organizations can gain deeper insight into adversarial behaviors and better align their security strategies to mitigate risks. It's an invaluable resource for any organization looking to strengthen their software supply chain security posture.”

Download the full "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures" report here.

About the OSC&R Community

The Open Software Supply Chain Attack Reference (OSC&R) community is a collaborative effort dedicated to enhancing the security of software supply chains. Launched in February 2023 and spearheaded by OX Security, the community includes cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, and FICO. These experts created the OSC&R framework, modeled after MITRE ATT&CK, to help organizations assess their software supply chain security strategies, identify vulnerabilities, and compare solutions effectively. As an open-source framework, OSC&R provides actionable insights into the tactics, techniques, and procedures (TTPs) used by adversaries to compromise software supply chains. By providing a standardized language and framework, OSC&R empowers the security community to proactively secure software supply chains and mitigate risks. For more information, visit pbom.dev or join the conversation and contribute to our Slack community.

About OX Security

At OX Security, we’re unifying application security (AppSec) with the first-ever Active ASPM platform, which ensures seamless visibility and traceability from code to cloud. Leveraging our proprietary AppSec Data Fabric, OSC&R framework, and Attack Path Reachability Analysis, OX delivers comprehensive security coverage, contextualized prioritization, and automated response and remediation throughout the software development lifecycle. Recently recognized as a Gartner Cool Vendor and a SINET 16 Innovator, OX is trusted by dozens of global enterprises and tech-forward companies. Founded by industry leaders Neatsun Ziv, former VP of Check Point’s Cyber Security business unit, and Lior Arzi from Check Point's Security Division, OX’s Active ASPM platform is more than a solution; it empowers organizations to take the first step toward eliminating manual AppSec practices while enabling scalable and secure development.

Source: Business Wire
